Timing vulnerability? about bcrypt-ruby HOT 5 CLOSED

To be clear, I’ve personally softened my position since then. I don’t think using a constant-time comparison function adds any actual security, but if it makes people feel better (and therefore more likely to use bcrypt instead of rolling their own), the cost isn’t particularly high.

I’m not maintaining the codebase, however, so I’ll defer to those who would actually bear that cost.

from bcrypt-ruby.

No. One of the desired properties of a cryptographic hash function is preimage attack resistance, which means there is no shortcut for generating a message which, when hashed, produces a specific digest.

Finding a first-preimage attack for bcrypt would be surprising, to say the least.

from bcrypt-ruby.

Hey, I have been worried recently about this issue. I understand the reason why it is not needed, but it seems that other language implementations like timingsafe_bcmp.c in py-bcrypt or password_verify() in PHP use constant time functions, following defence in depth policy.

I just took this information from a post in security stackexchange:

For hashing schemes such as Bcrypt, Scrypt, etc., timing attacks are irrelevant. Using comparisons such as == and === isn't a problem. Having that said, using constant time comparison is a good practice as part of a defence-in-depth policy. In fact, many Bcrypt implementations already used timing-safe comparison just in case (timingsafe_bcmp.c in py-bcrypt, for example).

What do you think about it?

from bcrypt-ruby.

@waiting-for-dev See #43 for much more information about why this is unnecessary.

Regarding "defense in depth" for this specific issue, @codahale said it best on #43:

It's like saying holding an umbrella gives you a "slight advantage" over holding nothing over your head when a piano is dropped on you.

from bcrypt-ruby.

Ok, thanks for pointing me there :)

from bcrypt-ruby.